Azure MFA Authentication Loop Fix

Issue: Office 365 web app users (SharePoint Online, Office.com, OWA, etc.) receive the MFA prompt every time they open the browser.
Ideally the browser should honor the “Stay signed in?” prompt when no session lifetime settings are configured.
When the user clicks Yes, a persistent browser cookie is saved and remains valid for 90 days. However, if the user's state changes, the cookie is refreshed.

I’ve recently noticed that, even though the above setting is set up, users still get re-authenticated when they close and reopen web apps. This is the same even after clearing the browser cache and updating the browser.

Solution:

If you are using Conditional Access policies to configure MFA, make sure you have selected the Always Persistent option in the Session section of your MFA Conditional Access policy.

Note that this overrides the “Stay signed in?” prompt: the cookie is saved regardless, until the user's state changes. This is best set up for devices that are not Azure AD managed, but according to Microsoft you can still use it on an Azure AD Registered device or a non-managed device.
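As an added example (not code from the original post), the following Python check reads the JSON shape that Microsoft Graph returns for Conditional Access policies, flags enabled MFA policies whose Session section lacks the Always persistent setting, and builds the corrected policy body. The sample policies are constructed; the Graph field names `sessionControls.persistentBrowser`, `isEnabled` and `mode` are assumed from the Conditional Access API.

```python
import json

# Constructed sample resembling what Microsoft Graph returns from
# GET /identity/conditionalAccess/policies (only the fields this check reads).
SAMPLE_POLICIES = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        "sessionControls": None,  # nothing set in the Session section -> loop risk
    },
    {
        "displayName": "Require MFA - persistent browser",
        "state": "enabled",
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        "sessionControls": {"persistentBrowser": {"isEnabled": True, "mode": "always"}},
    },
    {
        "displayName": "Block legacy auth",
        "state": "enabled",
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
        "sessionControls": None,
    },
]


def requires_mfa(policy):
    """True if the grant controls of the policy include the built-in MFA control."""
    grant = policy.get("grantControls") or {}
    return "mfa" in (grant.get("builtInControls") or [])


def browser_session_is_persistent(policy):
    """True if the Session section has 'Persistent browser session' = Always persistent."""
    session = policy.get("sessionControls") or {}
    persistent = session.get("persistentBrowser") or {}
    return bool(persistent.get("isEnabled")) and persistent.get("mode") == "always"


def find_mfa_policies_without_persistence(policies):
    """Names of enabled MFA policies that leave the persistent browser session unset."""
    return [
        p["displayName"]
        for p in policies
        if p.get("state") == "enabled"
        and requires_mfa(p)
        and not browser_session_is_persistent(p)
    ]


def with_always_persistent(policy):
    """Copy of the policy with Always persistent set, usable as a PATCH body."""
    patched = json.loads(json.dumps(policy))  # deep copy, leave the input untouched
    session = patched.get("sessionControls") or {}
    session["persistentBrowser"] = {"isEnabled": True, "mode": "always"}
    patched["sessionControls"] = session
    return patched
```

Run `find_mfa_policies_without_persistence` over the live policy list to spot the policy that causes the loop, then review `with_always_persistent(policy)` before applying it in the portal or via Graph.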

If you are using the free tier of Azure AD, make sure the Remember my device option is selected. Users will then have the option to consent to remembering the device.

MFA Conditional Access Policy view

Azure AD Free tier Setting

Azure AD -> Users -> Multi Factor Authentication -> Service Settings

